Generate SSL certificates using freeipa
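# Runbook, not an unattended script: the `reboot` below ends stage 1, and
# stages 2 and 3 are run on the rebooted machine. Commands are run as root.

# ---- Stage 1: base Debian 11 (bullseye) preparation ----
apt update
apt upgrade -y
apt install -y chrony sudo vim bash-completion
# chronyd -x: serve/track time without stepping the local clock — presumably
# because this runs in a container where the kernel clock is not ours to set;
# the IPA client below is installed with --no-ntp for the same reason.
sed -i 's/DAEMON_OPTS="-F 1"/DAEMON_OPTS="-F 1 -x"/' /etc/default/chrony
# Persist the FQDN; the .pve-ignore marker presumably keeps Proxmox (pve) from
# overwriting /etc/hostname in an LXC container — confirm for your platform.
touch /etc/.pve-ignore.hostname
hostname -f > /etc/hostname
printf '%s\n' "deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free" \
  > /etc/apt/sources.list.d/debian_11_backports.list
apt update
reboot

# ---- Stage 2: enrol the host in FreeIPA ----
apt install -y freeipa-client
ipa-client-install --no-ntp --ssh-trust-dns --mkhomedir --configure
kinit admin # or any user with enough privileges

# ---- Stage 3: MariaDB certificate via certmonger ----
# Post-save hook that certmonger runs (as root) after every issue/renewal:
# restrict the key/cert to the mysql user and re-encode the key in traditional
# PEM for MariaDB. Quoted delimiter: nothing in the body is meant to expand here.
cat <<'EOF' > /usr/local/sbin/set-ssl-permissions
#!/bin/bash
set -eu
chown mysql:mysql /etc/mysql/certificates/{cert.key,cert.pem}
# Fixed: the original ran 'chmod 0400 chown mysql.mysql ...', which passed
# "chown" and "mysql.mysql" to chmod as filenames and left the files untouched.
chmod 0400 /etc/mysql/certificates/{cert.key,cert.pem}
# In-place rewrite; the existing file's mode (0400) is kept.
openssl rsa -in /etc/mysql/certificates/cert.key -out /etc/mysql/certificates/cert.key
# NOTE(review): MariaDB keeps serving the old key/cert until it is restarted or
# told to reload them — a renewal handled by this hook alone is not picked up.
EOF
chmod 0755 /usr/local/sbin/set-ssl-permissions

# Move any pre-existing key/cert material aside before certmonger writes the
# new files (existing backups of the same name are overwritten, as before).
mkdir -p /etc/mysql/certificates/BACKUP/orig/
for f in /etc/mysql/certificates/*.key /etc/mysql/certificates/*.pem; do
  [[ -e "$f" ]] || continue   # unmatched glob stays literal; skip it
  mv -- "$f" /etc/mysql/certificates/BACKUP/orig/
done

# MariaDB server TLS settings. These edits are not idempotent: a second run
# appends another tls_version line. The stock ssl-ca is commented out
# (presumably it is the old self-signed CA, not the IPA CA); without ssl-ca the
# server cannot verify client certificates — confirm that is intended.
cnf=/etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's|ssl-ca = /etc/mysql/certificates/ca\.pem|#&|' "$cnf"
sed -i 's/#require-secure-transport = on/require-secure-transport = on/' "$cnf"
sed -i '/require-secure-transport = on/a tls_version = TLSv1.3' "$cnf"

# -K: Kerberos principal the certificate is issued for; the IPA realm is taken
# as the upper-cased DNS domain (the FreeIPA convention — confirm it matches
# your realm). The mysql/<fqdn> service presumably has to exist in IPA first
# (not shown on this page). -I is the certmonger tracking ID, -C the hook above.
fqdn=$(hostname -f)
realm=$(hostname -d | tr '[:lower:]' '[:upper:]')
ipa-getcert request \
  -K "mysql/${fqdn}@${realm}" \
  -k /etc/mysql/certificates/cert.key \
  -f /etc/mysql/certificates/cert.pem \
  -I mariadb \
  -C /usr/local/sbin/set-ssl-permissions
# Check the request reached a MONITORING state before restarting the server.
ipa-getcert list
systemctl restart mysql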